I'm running a pair of openldap 2.4 servers which replicate cn=config DB in
Is there a way to configure a RO user (like user from BDB) for cn=config DB,
so that should someone get hold of its password, they still will not be able to
change the configs?
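An added example (editor's illustration, not from the post) of what such a read-only grant on cn=config looks like. It assumes two names: the reader is an ordinary entry cn=config-reader,dc=example,dc=com in the data database (not the config rootdn), and the config database entry is olcDatabase={0}config. The config rootdn is never subject to ACLs, so it keeps full write access regardless of what is listed here.

```ldif
# Added example: give one non-root DN read-only access to cn=config.
# Assumed names: cn=config-reader,dc=example,dc=com (an ordinary entry in the
# data database, never the config rootdn) and olcDatabase={0}config.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
# Keep the config rootdn's password hash out of reach even for the reader.
# Note the trade-off below if the reader is also the syncrepl binddn.
olcAccess: {0}to attrs=olcRootPW
  by * none
# Everything else in cn=config: the reader may read, nobody else gets anything.
# The config rootdn (olcRootDN of this database) bypasses ACLs and keeps write;
# every other DN, including the data database's own rootdn, is denied.
# If your distribution grants local root access over ldapi:// with a
# "by dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage"
# clause, keep that clause here, because "replace:" drops whatever you omit.
olcAccess: {1}to *
  by dn.exact="cn=config-reader,dc=example,dc=com" read
  by * none
```

Two checks worth running after applying this as the config rootdn: bind as the reader and attempt any modify of cn=config, which must fail with insufficientAccessRights (result code 50); and confirm the rule offline with slapacl, e.g. `slapacl -F /etc/openldap/slapd.d -D cn=config-reader,dc=example,dc=com -b "olcDatabase={0}config,cn=config" olcAccess/write`, which should report that write is denied. Two caveats: if the reader DN is also the binddn used by the consumer for replicating cn=config, every attribute hidden from it (here olcRootPW) is also missing from what the consumer receives, so in that setup drop the {0} rule; and plain read on cn=config still exposes olcSyncrepl values, which carry the replication credential in cleartext, so the reader's password deserves the same handling as the rootdn's.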
I am looking for help with setup of security with my openldap config.
I currently have RHEL 6 with ldap:// and ldaps:// working for both auth binds and anon binds.
What I want to do is allow anon binds on ldap:// and require authentication over an encrypted stream on ldaps://
my current access is set to:
access to attrs=userPassword
    by anonymous auth
    by self read
    by * none
access to *
    by * read
I do not have a security statement in my slapd.conf.
I have tried a few things such as changing the userpassword access to:
access to userPassword
    by anonymous auth sasl_ssf=128 break
    by anonymous auth tls=128
    by self read
but the syntax is not correct and the config will not load with above.
Any help would be great.
Is it possible to prevent anonymous and unauthenticated binds to ldaps:// 636 but allow them on ldap:// 389?
I want to allow staff to query my ldaps:// outside of my network while requiring them to log in to do so, but allow anyone to bind (anonymous, unauthenticated, or authenticated) internally on ldap:// 389.
Anonymous bind can be disabled by "disallow bind_anon", and the unauthenticated bind mechanism is disabled by default. But if I use "disallow bind_anon" it stops it on both ports. I want to stop it just on ldaps://.
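Both of the questions above (require a login over TLS, allow anonymous on the plaintext listener) run into the same fact: "disallow bind_anon" and "security" are global, but a "by" clause in an access rule can be qualified by the listener URL the connection arrived on (sockurl) and by the TLS strength of the session (tls_ssf), so the grants themselves can be made per-listener. The earlier attempt that would not load has two syntax problems: the "to" clause needs "attrs=userPassword" rather than a bare "userPassword", and the qualifier is "tls_ssf=128", not "tls=128". The following is an added example (editor's illustration, not from either post); it assumes the data database is olcDatabase={1}hdb and the listeners are the default ldap:/// and ldaps:///. In slapd.conf each olcAccess value below is written as one "access to ..." directive with identical text.

```ldif
# Added example (not from either post): anonymous reads only on the ldap://
# listener, authenticated reads only over TLS, passwords never readable.
# Assumed database entry: olcDatabase={1}hdb,cn=config.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: usable for authentication from any listener, changeable by the
# owner only inside a TLS session of at least 128-bit strength, never readable.
olcAccess: {0}to attrs=userPassword
  by anonymous auth
  by self tls_ssf=128 write
  by * none
# Everything else. A "by" clause with only a qualifier applies to anyone, so the
# first clause gives read to any connection (anonymous or bound) that arrived on
# a listener whose URL starts with ldap://, i.e. port 389. Bound users get read
# only inside a TLS session, whether that is ldaps:// on 636 or StartTLS on 389.
# An anonymous client on ldaps:// matches neither clause and falls to "none".
olcAccess: {1}to *
  by sockurl.regex="^ldap://" read
  by users tls_ssf=128 read
  by * none
```

What this does and does not do: the anonymous bind on ldaps:// still completes at the protocol level (ACLs deny access, they do not refuse binds), the client simply gets no entries back, which is usually what the outside-facing use case needs. If you also want password binds refused unless they are protected, add `olcSecurity: simple_bind=128` on the same database; that rejects simple binds with credentials below SSF 128 on every listener, and it does not change the anonymous behaviour configured above. Verify each case with ldapsearch against both ports (`-x` anonymous on 389 returns entries, on 636 returns nothing, `-D ... -W` on 636 returns entries), and with `slapacl -F /etc/openldap/slapd.d -b <entry> -D "" -o sockurl=ldaps:/// cn/read` style checks if you prefer to test without a live bind.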
Is it possible to use email to login to LDAP ?
I'm working on a mail management panel where users are identified by
emails. Now I'm searching the tree for the DN of a particular email and then I'm
logging in with the DN and password, but I'd like to avoid this search if
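A simple bind always takes a DN, so the search-then-bind the post describes is what every client has to do with simple authentication. The way to move that lookup into the server is SASL: slapd maps the SASL authentication identity to an entry through olcAuthzRegexp, and the replacement may be a search URL rather than a fixed DN. The block below is an added example (editor's illustration, not from the post); it assumes users live under ou=people,dc=example,dc=com and carry the address in the mail attribute.

```ldif
# Added example (not from the post): let slapd resolve a SASL authentication
# identity to the entry whose mail attribute equals it.
# Assumed: users under ou=people,dc=example,dc=com with a "mail" attribute.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
# A SASL authcid reaches the mapping as uid=<authcid>,cn=<mech>,cn=auth, with an
# optional cn=<realm> component between them. Capture everything up to the first
# comma as the address and resolve it with a subtree search; the search must
# return exactly one entry or the bind fails.
olcAuthzRegexp: {0}uid=([^,]+),(cn=[^,]+,)?cn=[^,]+,cn=auth
  ldap:///ou=people,dc=example,dc=com??sub?(mail=$1)
```

The panel then binds with a SASL mechanism and the address as the authentication identity, for example PLAIN inside TLS, and slapd checks the password of the mapped entry; test the mapping first with `ldapwhoami -ZZ -Y PLAIN -U alice@example.com` (assumed address), which prints the DN slapd resolved. One caveat: some SASL setups treat the part after "@" in the user name as a realm and hand it over as the cn=<realm> component, in which case the regex above no longer sees the full address and the search misses; the ldapwhoami result tells you which form arrives. The search also has to be permitted by your ACLs for the internal lookup, and the mail attribute should be indexed if the tree is large.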
I'm unaccustomed to the new (non-slapd.conf) way of adding ACLs/ACIs.
I'm trying to exclude anonymous access to the password. We've tried this to no effect:
olcAccess: {0}to dn.base="cn=users,dc=lib-mac,dc=local" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcAccess: {2}to attrs=userPassword
  by self write
  by dn.exact="uid=diradmin,cn=users,dc=lib-mac,dc=local" read
  by * auth
olcAccess: {3}to dn.subtree=""
  by dn.exact="uid=diradmin,cn=users,dc=lib-mac,dc=local" write
  by users read
  by anonymous auth
I'm using overlay slapo-lastbind using openldap head.
I receive a warning when invoking slapcat to do a full backup of my user
database. This is the output of my job:
[ldap@ldap03 tmp]$ /usr/local/openldap/sbin/slapcat -b "dc=lan,dc=mycorp.it"
UNKNOWN attributeDescription "AUTHTIMESTAMP" inserted.
The backup seems done correctly.
Could this warning be due to an error of mine?
If not, since this is a contrib overlay, should I file an ITS anyway?
It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get back up.
A package I use recently updated the schema files related to the package,
what is the correct way to go about replacing the schemas that were already
loaded into cn=schema?
My bruteforce solution was most likely not the correct way.
Thanks and best regards,
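The supported way to update a schema that slapd has already loaded into cn=schema is to modify the values of the schema entry over LDAP; in 2.4 a cn=schema entry cannot be deleted through LDAP, and editing the files under slapd.d with slapd stopped is the brute-force route the post alludes to. The block below is an added example (editor's illustration, not from the post or any package); it assumes the package's schema entry is cn={5}mypkg,cn=schema,cn=config and uses placeholder OIDs under the 1.1 arc. Find the real entry and index with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(cn=*mypkg)"` before adapting it.

```ldif
# Added example (not from the post): replace the definitions held by an already
# loaded schema entry without restarting slapd.
# Assumed entry name: cn={5}mypkg,cn=schema,cn=config; placeholder OIDs 1.1.2.x.
dn: cn={5}mypkg,cn=schema,cn=config
changetype: modify
# "replace" drops every value you do not restate, so list ALL attribute types
# the entry carries, in their original {n} order, not only the changed ones.
replace: olcAttributeTypes
olcAttributeTypes: {0}( 1.1.2.1.1 NAME 'pkgFlag'
  DESC 'updated in the new package release'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE )
-
# Same rule for object classes; a class may only reference attribute types that
# exist after the first modification above has been applied.
replace: olcObjectClasses
olcObjectClasses: {0}( 1.1.2.2.1 NAME 'pkgAccount'
  DESC 'auxiliary class shipped by the package'
  SUP top AUXILIARY
  MAY ( pkgFlag ) )
```

Three things to keep in mind: take `slapcat -n 0` of the config database first, because a replace that omits a value removes it from the running server; slapd refuses to remove an attribute type that another loaded object class still references, so change the types before the classes that use them and keep names stable; and slapd does not re-validate entries already stored against a changed definition, so a change of SYNTAX or SINGLE-VALUE has to be checked against the data separately. If cn=config is replicated, the modification propagates to the consumers like any other config change.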
This may have been discussed, but I cannot seem to find out why the
transaction logs are not getting removed when I use DB_LOG_AUTOREMOVE in
DB_CONFIG. This is on a Red Hat 5 openldap 2.3 server.
DB_CONFIG has the following:
Doing slapd_db_archive shows about 134 unused files.
I then did the following (is this the correct procedure to use when
> service ldap stop
> Edited DB_CONFIG
> service ldap start
The files are still there. I also manually did a checkpoint with
"slapd_db_checkpoint -1" and verified the transaction log time changed.
Reran "slapd_db_archive" and it outputs the same files. I read that
earlier versions required a patch for this to work, but I was not sure
about this one. I'm unclear on when the removal is supposed to take
place, but it doesn't seem to be working.